Symbolic Model Checking ...and Verification Options
How UPPAAL really works & How to make UPPAAL really work
Kim Guldstrand Larsen, BRICS@Aalborg (UCb)
THE UPPAAL ENGINE: Symbolic Reachability Checking (IDA lecture, 20.4.99)
Zones: from infinite to finite (TOV 2002, Lecture 3)
State: (n, x=3.2, y=2.5), a location together with concrete clock values, i.e. a single point in the x/y plane.
Symbolic state (set): (n, Z) with Z a zone. A zone is a conjunction of constraints of the forms x - y <= n and x ⋈ n (⋈ one of <, <=, =, >=, >), i.e. a convex polyhedron in the x/y plane. Infinitely many concrete states are covered by finitely many zones.
Symbolic Transitions. Starting from (n, 1<=x<=4 ∧ 1<=y<=3):
- delay in n: 1<=x ∧ 1<=y ∧ -2<=x-y<=3
- conjoin with the guard x>3 of edge a: 3<x ∧ 1<=y ∧ -2<=x-y<=3
- project by the reset y:=0 and move to m: 3<x ∧ y=0
Thus (n, 1<=x<=4 ∧ 1<=y<=3) =a=> (m, 3<x ∧ y=0).
Fischer's Protocol: analysis using zones. Two processes with clocks X and Y, a shared variable V, and locations A1, B1, CS1 and A2, B2, CS2. Edge labels on the slide: X<10, X:=0, V:=1 between A1 and B1; Y<10, Y:=0, V:=2 between A2 and B2; X>10 and V=1 into CS1; Y>10 and V=2 into CS2.
Untimed case (clock constraints ignored), the explored states: (A1, A2, v=1) -> (A1, B2, v=2) -> (A1, CS2, v=2) -> (B1, CS2, v=1) -> (CS1, CS2, v=1). Both processes reach their critical section, so the untimed abstraction does not show mutual exclusion.
Taking time into account: the same exploration is carried out with zones over X and Y (drawn against the bound 10 on both axes); slides 7 to 11 build the zone pictures up step by step. [Figures: the zones in the X/Y plane are not recoverable from the text.]
Forward Reachability: Init -> Final ? (Waiting and Passed lists of symbolic states (n, Z); the animation on slides 12 to 15 shows (n, Z) being picked from Waiting, compared against (n, Z') in Passed, and its successors (m, U) added to Waiting.)
INITIAL Passed := Ø; Waiting := {(n0, Z0)}
REPEAT
  - pick (n, Z) in Waiting
  - if for some Z' ⊇ Z, (n, Z') is in Passed then STOP (skip (n, Z): it is already covered)
  - else (explore) add {(m, U) : (n, Z) => (m, U)} to Waiting; add (n, Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Canonical Datastructures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989)
Inclusion: is D1 ⊆ D2 ?
D1: x<=1, y-x<=2, z-y<=2, z<=9 (graph: 0 -1-> x -2-> y -2-> z, 0 -9-> z)
D2: x<=2, y-x<=3, y<=3, z-y<=3, z<=7 (graph: 0 -2-> x -3-> y -3-> z, 0 -3-> y, 0 -7-> z)
Comparing the constraints as written is inconclusive (z<=9 against z<=7). Shortest Path Closure brings both into Canonical Form: D1 becomes x<=1, y<=3, z<=5, y-x<=2, z-y<=2; D2 becomes x<=2, y<=3, z<=6, y-x<=3, z-y<=3. Now every bound of D1 is at most the corresponding bound of D2, so D1 ⊆ D2.
Difference Bounded Matrices: Emptiness. D: x<=1, y>=5, y-x<=3. Graph: 0 -1-> x -3-> y -(-5)-> 0. The cycle 0 -> x -> y -> 0 has weight 1 + 3 - 5 = -1. Negative cycle iff empty solution set.
Difference Bounded Matrices: Future. D: 1<=x<=4, 1<=y<=3. Shortest Path Closure adds the derived difference bounds -2<=x-y<=3. Future (D↑): remove the upper bounds on the clocks, giving 1<=x, 1<=y, -2<=x-y<=3 (graph: weights 4, -1 on x; 3, -1 on y; 3 and 2 on the x-y edges before; -1, -1, 3, 2 after).
Difference Bounded Matrices: Reset. D: 1<=x, 1<=y, -2<=x-y<=3. {y}D: y=0, 1<=x. Remove all bounds involving y and set y to 0 (graph: weights -1, -1, 3, 2 before; -1 on x and 0, 0 on y after).
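The DBM operations of the last five slides (closure, emptiness, inclusion, future, reset) and the forward reachability loop from slide 12, as an added worked example that is not code from the slides or from UPPAAL. Assumptions: a bound is stored as a pair (c, strict) so that strict and non-strict constraints can both be represented; clock index 0 is the reference clock; the model checked at the end is the standard Fischer mutual-exclusion automaton (A -> req -> wait -> cs, one clock per process, shared variable v, constant K), which the slides only sketch; and the zones are k-normalised (`extrapolate`) before being stored, a step the slides do not show but without which the search below would not terminate.

```python
"""Zones as Difference Bounded Matrices (DBMs) and zone-based forward
reachability. Added example, not code from the slides or from UPPAAL.
A bound is (c, strict): x_i - x_j < c if strict, else x_i - x_j <= c.
Clock 0 is the reference clock, always 0: x_i <= 4 is m[i][0] = (4, False)
and x_i >= 1 is m[0][i] = (-1, False)."""
import math
from itertools import product

INF = (math.inf, True)   # no constraint on x_i - x_j
ZERO = (0, False)        # x_i - x_j <= 0

def bsum(a, b):          # sum of two bounds; strict if either is strict
    return (a[0] + b[0], a[1] or b[1])
def blt(a, b):           # True if bound a is strictly tighter than bound b
    return (a[0], not a[1]) < (b[0], not b[1])

class DBM:
    def __init__(self, clocks, all_zero=False):   # all clocks >= 0 (or == 0)
        self.n = clocks + 1
        self.m = [[ZERO if all_zero or i == j or i == 0 else INF
                   for j in range(self.n)] for i in range(self.n)]
    def copy(self):
        d = DBM(self.n - 1); d.m = [row[:] for row in self.m]; return d
    def close(self):     # shortest-path closure (Floyd-Warshall) = canonical form
        for k, i, j in product(range(self.n), repeat=3):
            s = bsum(self.m[i][k], self.m[k][j])
            if blt(s, self.m[i][j]):
                self.m[i][j] = s
        return self
    def is_empty(self):  # negative cycle <=> some diagonal entry tighter than 0
        return any(blt(self.m[i][i], ZERO) for i in range(self.n))
    def includes(self, other):   # self ⊇ other; both in canonical form
        return all(not blt(self.m[i][j], other.m[i][j])
                   for i, j in product(range(self.n), repeat=2))
    def constrain(self, i, j, bound):   # conjoin x_i - x_j <(=) c
        if blt(bound, self.m[i][j]):
            self.m[i][j] = bound
            self.close()
        return self
    def future(self):    # delay: remove the upper bounds x_i - x_0
        for i in range(1, self.n):
            self.m[i][0] = INF
        return self.close()
    def reset(self, i):  # x_i := 0: x_i now relates to the others as x_0 does
        for j in range(self.n):
            if j != i:
                self.m[i][j], self.m[j][i] = self.m[0][j], self.m[j][0]
        return self.close()
    def extrapolate(self, maxc):   # k-normalisation (not on the slides, but
        for i, j in product(range(self.n), repeat=2):   # needed for termination)
            if i != j and blt((maxc, False), self.m[i][j]):
                self.m[i][j] = INF
            elif i != j and blt(self.m[i][j], (-maxc, False)):
                self.m[i][j] = (-maxc, True)
        return self.close()

A, REQ, WAIT, CS = range(4)   # locations of one Fischer process
K = 10                        # the protocol's timing constant
def fischer_successors(locs, v, Z, n):
    """Symbolic successors of (locations, shared v, zone Z), n processes.
    Assumed model: the usual Fischer automaton, invariant x <= K in REQ."""
    for p in range(n):
        pid = x = p + 1; edges = []   # (zone guard, new v, reset x?, target)
        if locs[p] in (A, WAIT) and v == 0:
            edges.append((None, 0, True, REQ))
        if locs[p] == REQ:                                    # x <= K; v := pid
            edges.append(((x, 0, (K, False)), pid, True, WAIT))
        if locs[p] == WAIT and v == pid:                      # x > K
            edges.append(((0, x, (-K, True)), v, False, CS))
        if locs[p] == CS:
            edges.append((None, 0, False, A))
        for guard, nv, do_reset, tgt in edges:
            Zn = Z.copy()
            if guard and Zn.constrain(*guard).is_empty():
                continue
            if do_reset:
                Zn.reset(x)
            nlocs = locs[:p] + (tgt,) + locs[p + 1:]
            Zn.future()               # let time pass, then re-impose invariants
            for q, loc in enumerate(nlocs):
                if loc == REQ:
                    Zn.constrain(q + 1, 0, (K, False))
            if not Zn.is_empty():
                yield nlocs, nv, Zn.extrapolate(K)

def reachable(n):
    """Forward reachability with Waiting/Passed lists and zone inclusion."""
    waiting, passed = [((A,) * n, 0, DBM(n, all_zero=True).future())], {}
    while waiting:
        locs, v, Z = waiting.pop()
        seen = passed.setdefault((locs, v), [])
        if any(Zp.includes(Z) for Zp in seen):   # covered by Passed: skip
            continue
        seen.append(Z)
        waiting.extend(fischer_successors(locs, v, Z, n))
    return [(l, v, Z) for (l, v), zs in passed.items() for Z in zs]

def mutual_exclusion(n):
    return all(sum(l == CS for l in locs) <= 1 for locs, _, _ in reachable(n))
```

`mutual_exclusion(2)` reproduces the slide 4 transition when run on a single symbolic state, and the Passed-list inclusion test only works because every stored zone is in canonical form: comparing the raw constraint lists of D1 and D2 from slide 16 would wrongly report D1 ⊄ D2.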
Improved Datastructures: Compact Datastructure for Zones (RTSS'97)
Input constraints (graph over x0, x1, x2, x3): x1-x2<=-4, x2-x1<=10, x3-x1<=2, x2-x3<=2, x0-x1<=3, x3-x0<=5.
Shortest Path Closure, O(n^3): all 12 derived bounds, among them x0-x2<=-1, x0-x3<=1, x1-x3<=-2, x1-x0<=3, x3-x2<=-2, x2-x1<=4, x3-x0<=5.
Shortest Path Reduction, O(n^3): only 5 edges remain (x0-x1<=3, x1-x0<=3, x1-x2<=-4, x2-x3<=2, x3-x1<=2), fewer than the 6 we started with.
Canonical with respect to = (zone equality). Space: worst case O(n^2), in practice O(n).
Shortest Path Reduction, 1st attempt. Idea: an edge (of weight w) is REDUNDANT if there exists an alternative path of no greater weight (<=w). THUS: remove all redundant edges!
Problem: for two edges v and w on a zero-weight cycle, v and w are both redundant, and the removal of one depends on the presence of the other.
Observation: if there are no zero- or negative cycles, then it is SAFE to remove all redundancies.
Shortest Path Reduction, solution. G: weighted graph (the closed DBM).
1. Equivalence classes based on 0-cycles.
2. Graph based on representatives (one node per class): between representatives there are no 0-cycles, so it is safe to remove redundant edges.
3. Shortest Path Reduction = one cycle per class + removal of redundant edges between classes. The result is canonical given an order of the clocks.
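The three steps above, as an added example that is not the RTSS'97 implementation: zero-cycle classes, one cycle per class, and removal of redundant edges between representatives. The weight matrix is read off the slide 21 graph with the same convention as a DBM (`W[i][j]` is the bound on `x_i - x_j`), which is an assumption about how the slide's picture is meant.

```python
"""Shortest-path reduction of a closed DBM: one zero-cycle per class of
clocks tied together by zero cycles, plus the non-redundant edges between
class representatives. Added example, not the RTSS'97/CAV'97 code."""
import math
from itertools import product

INF = math.inf   # no edge

def closure(w):
    """Shortest-path closure (Floyd-Warshall) of a weight matrix."""
    n, d = len(w), [row[:] for row in w]
    for k, i, j in product(range(n), repeat=3):
        d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d

def edge_count(g):
    n = len(g)
    return sum(1 for i, j in product(range(n), repeat=2) if i != j and g[i][j] < INF)

def reduce_dbm(d):
    """d: closed matrix without negative cycles (d[i][i] == 0). Returns a
    sparse matrix with the same closure; INF marks a dropped edge."""
    n = len(d)
    # 1. i ~ j iff d[i][j] + d[j][i] == 0 (i and j lie on a zero cycle);
    #    the representative of a class is its smallest index
    rep = list(range(n))
    for i in range(n):
        for j in range(i):
            if rep[j] == j and d[i][j] + d[j][i] == 0:
                rep[i] = j
                break
    classes = {}
    for i in range(n):
        classes.setdefault(rep[i], []).append(i)
    r = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    # 2. one cycle per class, through its members in index order
    for members in classes.values():
        for a, b in zip(members, members[1:] + members[:1]):
            if a != b:
                r[a][b] = d[a][b]
    # 3. between representatives there are no zero cycles, so an edge with
    #    an equally short detour over another representative is redundant
    reps = sorted(classes)
    for i, j in product(reps, repeat=2):
        if i != j and d[i][j] < INF and not any(
                d[i][k] + d[k][j] == d[i][j] for k in reps if k not in (i, j)):
            r[i][j] = d[i][j]
    return r

def example_graph():
    """The slide 21 example: x1-x2<=-4, x2-x1<=10, x3-x1<=2, x2-x3<=2,
    x0-x1<=3, x3-x0<=5, with W[i][j] the bound on x_i - x_j."""
    W = [[0 if i == j else INF for j in range(4)] for i in range(4)]
    W[1][2], W[2][1], W[3][1] = -4, 10, 2
    W[2][3], W[0][1], W[3][0] = 2, 3, 5
    return W
```

On this input x1, x2 and x3 form one class (the cycle x1 -> x2 -> x3 -> x1 has weight -4 + 2 + 2 = 0), so the reduced graph keeps that cycle plus the two edges between x0 and the representative x1: five edges, while the closure has twelve. `closure(reduce_dbm(d)) == d` is the property that makes the reduced form a safe replacement for the full DBM.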
Earlier Termination. The inclusion test against Passed can be strengthened: instead of requiring a single (n, Z') in Passed with Z' ⊇ Z, stop exploring (n, Z) as soon as Z is covered by the union Z1 ∪ ... ∪ Zk of all zones (n, Z1), ..., (n, Zk) stored for location n in Passed (the picture on slide 31 shows Z1, Z2, ..., Zk covering Z together, while no single Zi contains it). The rest of the algorithm is unchanged:
INITIAL Passed := Ø; Waiting := {(n0, Z0)}
REPEAT
  - pick (n, Z) in Waiting
  - if Z ⊆ Z1 ∪ ... ∪ Zk for the (n, Zi) in Passed then STOP (skip (n, Z))
  - else (explore) add {(m, U) : (n, Z) => (m, U)} to Waiting; add (n, Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Clock Difference Diagrams (CAV 99) = Binary Decision Diagrams + Difference Bounded Matrices. CDD representations:
- nodes labeled with clock differences
- maximal sharing of substructures (also across different CDDs)
- maximal intervals
- linear-time algorithms for set-theoretic operations
Related: NDDs (Maler et al.), DDDs (Møller, Lichtenberg).
Verification Options
- Search order: Breadth-First or Depth-First
- Clock Reduction
- State Space Representation: DBM, Compact, Over-approximation, Under-approximation
- Reuse State Space
- Diagnostic Trace
Case Studies
Representation of symbolic states: (In)Active Clock Reduction.
Definition: x is inactive at S if on all paths from S, x is always reset before being tested.
Example: S -(x:=0)-> S1, with the guards x<7, x>3 and x<5 on edges further along: x is only active in location S1 (and in the locations up to the next reset), not in S.
In general, for S with edges (g1, r1) to S1, (g2, r2) to S2, ..., (gk, rk) to Sk: only save constraints on active clocks.
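The definition above as an executable analysis, added here and not UPPAAL's implementation: the active clocks of a location are computed as the least fixed point of Act(S) = Inv(S) ∪ ⋃ over edges S -(g, r)-> S' of (g ∪ (Act(S') \ r)), and `project` then drops the constraints a zone stores on inactive clocks. The automaton in `EXAMPLE_EDGES` is constructed for the example (it is not the slide's automaton) with a second clock y to show the difference between the two cases.

```python
"""Active clock analysis: clock x is inactive in location S if on every path
from S it is reset before it is tested, so zones at S need not keep any
constraint on x. Added example, not UPPAAL's implementation."""

def active_clocks(locations, edges, invariants=None):
    """locations: names; edges: (src, tested, reset, dst) where `tested` are
    the clocks in the guard and `reset` the clocks reset on the edge;
    invariants: {location: clocks tested by its invariant}.
    Least fixed point of Act(S) = Inv(S) ∪ ⋃_{S -g,r-> S'} (g ∪ (Act(S') \\ r))."""
    inv = invariants or {}
    act = {s: set(inv.get(s, ())) for s in locations}
    changed = True
    while changed:                       # iterate until no set grows
        changed = False
        for src, tested, reset, dst in edges:
            new = set(tested) | (act[dst] - set(reset))
            if not new <= act[src]:
                act[src] |= new
                changed = True
    return act

def project(zone, active):
    """Keep only the constraints of a zone that mention active clocks.
    A zone is a set of (lhs, rhs, bound) triples standing for lhs - rhs <= bound,
    with None as the reference clock (so ('x', None, 4) is x <= 4)."""
    return {(a, b, c) for a, b, c in zone
            if all(v is None or v in active for v in (a, b))}

# Constructed example (not the slide's automaton): x is reset on every path
# out of S0 before it is tested, y is tested in S2 without any reset in between.
EXAMPLE_LOCS = ["S0", "S1", "S2", "S3"]
EXAMPLE_EDGES = [
    ("S0", (), ("x",), "S1"),         # x := 0
    ("S1", ("x",), (), "S2"),         # guard x < 7
    ("S2", ("x", "y"), (), "S3"),     # guard x > 3 and y < 5
    ("S3", (), ("x", "y"), "S0"),     # x := 0, y := 0
]
```

With these edges x is inactive in S0 and S3 but active in S1 and S2, while y is active everywhere except S3; adding an invariant that tests x in S0 makes x active there again, which is why invariants must be fed into the analysis as well as guards.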
When to store symbolic states: State Space Reduction.
No cycles: the Passed list is not needed for termination. However, the Passed list is still useful for efficiency (states reached along several paths are explored once).
Cycles: only symbolic states involving loop-entry points need to be saved on the Passed list.
Reuse State Space. When checking several properties A[] prop1, A[] prop2, A[] prop3, ..., A[] propn over the same model: search in the existing Passed list (kept in a hashtable) before continuing the search from Waiting. Which order to search the properties in?
Over-approximation: Convex Hull. Several zones over x and y (axes marked 1, 3, 5) are replaced by a single zone, their convex hull. The search then covers at least the reachable states: a safety property verified on the hull holds for the system, while a reported violation may be spurious and must be checked against the exact representation.
Under-approximation: Bitstate Hashing. The Passed list is replaced by a bit array (UPPAAL: 8 Mbits) and a hash function F; a symbolic state (n, Z) is recorded only as the bit Passed(F(n, Z)).
INITIAL Passed := all bits 0; Waiting := {(n0, Z0)}
REPEAT
  - pick (n, Z) in Waiting
  - if Passed(F(n, Z)) = 1 then STOP (skip (n, Z))
  - else (explore) add {(m, U) : (n, Z) => (m, U)} to Waiting; Passed(F(n, Z)) := 1
UNTIL Waiting = Ø or Final is in Waiting
Two states hashing to the same bit are not distinguished, so a new state can be skipped as if it had been seen: everything reported reachable is reachable, but states may be missed.
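Bitstate hashing beside an exact Passed set, as an added example that is not code from the slides or UPPAAL. The state space explored is the untimed case of Fischer's protocol (the standard A -> req -> wait -> cs automaton with its clock guards dropped, which is an assumption about the model behind slide 6); the hash function, the 32-bit table size and the three-process instance are chosen for the example and are far smaller than UPPAAL's 8 Mbit array.

```python
"""Bitstate hashing as an under-approximating Passed list, run on the
untimed Fischer protocol. Added example, not code from the slides or UPPAAL."""
import hashlib

A, REQ, WAIT, CS = range(4)

def untimed_successors(state, n):
    """Fischer with the clock guards dropped (the slides' 'untimed case'):
    assumed model A -(v==0)-> REQ -(v:=pid)-> WAIT -(v==pid)-> CS -(v:=0)-> A,
    plus the retry WAIT -(v==0)-> REQ."""
    locs, v = state
    for p in range(n):
        pid, loc = p + 1, locs[p]
        def goto(tgt, nv):
            return locs[:p] + (tgt,) + locs[p + 1:], nv
        if loc in (A, WAIT) and v == 0:
            yield goto(REQ, v)
        if loc == REQ:
            yield goto(WAIT, pid)
        if loc == WAIT and v == pid:
            yield goto(CS, v)
        if loc == CS:
            yield goto(A, 0)

def exact_search(init, succ):
    """Passed as an explicit set: exhaustive and exact."""
    passed, waiting = set(), [init]
    while waiting:
        s = waiting.pop()
        if s in passed:
            continue
        passed.add(s)
        waiting.extend(succ(s))
    return passed

def bitstate_search(init, succ, bits):
    """Passed as a bit array of `bits` bits indexed by a hash F(s). A collision
    makes an unvisited state look visited, so the result is a subset of the
    reachable states: what is found is reachable, what is missed is unknown."""
    passed = bytearray((bits + 7) // 8)
    found, waiting = set(), [init]
    def F(s):   # deterministic hash, truncated to the table size
        digest = hashlib.blake2b(repr(s).encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") % bits
    while waiting:
        s = waiting.pop()
        h = F(s)
        if passed[h >> 3] & (1 << (h & 7)):
            continue                     # bit set: visited before, or a collision
        passed[h >> 3] |= 1 << (h & 7)
        found.add(s)
        waiting.extend(succ(s))
    return found

def violates_mutex(states):
    return any(sum(l == CS for l in locs) > 1 for locs, _ in states)
```

Running both searches from `((A, A, A), 0)` shows the two sides of the trade-off: the exact search finds the untimed mutual-exclusion violation, while the bitstate search with a 32-bit table can record at most 32 states and therefore necessarily misses part of the state space, without ever reporting a state that is not reachable.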
Best Options for Fischer. [Results table not recoverable from the text.]
Overview
- Timed Automata (review)
- UPPAAL 3.2
- Symbolic Reachability & Datastructures: DBMs, Compact Datastructure, CDDs
- Verification Options
- Beyond Model Checking
The State Explosion Problem. Sys: the product of the components, whose transitions a, b, c interleave. Model-checking is either EXPTIME-complete or PSPACE-complete (for TA's this is true even for a single TA).
Abstraction: REDUCE Sys (the interleaved a, b, c transitions) TO an abstraction Abs (states 1, 2, 3, 4), preserving safety properties.
Compositionality: Sys = Sys1 | Sys2. Abstract each component separately (Sys1 to Abs1, Sys2 to Abs2) and compose the abstractions (states 1, 2, 3, 4) instead of abstracting the product.
Timed Simulation (checked with UPPAAL). Applied to: the IEEE 1394a Root contention protocol (Simons, Stoelinga) and the B&O Power Down Protocol (Ejersbo, Larsen, Skou, FTRTFT 2000).
THE END (almost)